Both companies have issued fixes to address exploits that were posted online and after they found the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.

Other exploits may affect Watchguard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do this story will be updated.

The exploits were posted as proof that a group called Shadow Brokers actually had in its possession malware that it claimed it hacked from the NSA.

While the exploits date from 2013 at the latest, Cisco says it just learned about one of them when Shadow Brokers made it public. Cisco already knew about a second one and had patched for it. Fortinet’s lone security advisory is fresh.

Speculation is that Russia is behind releasing the exploits as a political move to blunt U.S. reaction to Russia’s alleged hack of the Democratic National Committee.

Cisco rates the threat level of the newly discovered vulnerability - Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability - as high because it could allow execution of remote code on affected devices and obtain full control. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” the advisory says.

The other vulnerability - Cisco ASA CLI Remote Code Execution Vulnerability – is one Cisco has known about since 2011 when it issued a fix for it. The company has issued a fresh security advisory for it in order to raise awareness so customers will make sure they’ve got software versions that patch the problem.

This vulnerability is ranked medium, and if exploited “could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” the advisory says.

Fortinet has issued a security advisory for what it calls the Cookie Parser Buffer Overflow Vulnerability, whose importance it rates as high because it allows remote administrative access.

It affects certain Fortigate firmware called FOS released before August 2012. The affected versions are:

FOS 4.3.8 and below

FOS 4.2.12 and below

FOS 4.1.10 and below

“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted,” according to an emailed statement from Fortigate. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products. If we identify any new information useful to our customers, we will share it through our responsible disclosure policy.”

This story, "Cisco, Fortinet issue patches against NSA malware" was originally published by
Network World.